IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Allowlist Elastic Endpoint in third-party antivirus apps Detections API »

›

Elastic Security APIs

edit

Elastic Security APIs

edit

You can use these APIs to interface with Elastic Security features:

Console supports sending requests to Kibana APIs. Prepend any Kibana API endpoint with kbn: and send the request via Console. For example: GET kbn:/api/index_management/indices

Detections API: Manage detection rules and alerts
Exceptions API: Create and manage rule exceptions
Lists API: Create source event value lists for use with rule exceptions
Timeline API: Import and export timelines
Cases API: Open and manage cases

Additionally, the Kibana Actions API is partially documented to enable opening and updating cases in external ticketing systems. For more information on Kibana Actions, see Alerting and Actions and action plugins.

API URLs

edit

For calls to the Default Kibana space, API endpoints are as follows:

<kibana host>:<port>/api/<endpoint>

Where:

<kibana host> is the host name of your Kibana instance.
<port> is port number of your Kibana instance.
<endpoint> is the API endpoint, such as detection_engine/rules or cases/configure.

If you are making calls to a Kibana space other than the Default space, the space identifier is part of the endpoint’s URL:

<kibana host>:<port>/s/<space URL>/api/<endpoint>

Where <space URL> is the URL identifier for the Kibana space.

You can find space URL identifiers on Edit space pages (Management → Spaces → <space name>) or by calling GET /api/spaces/space.

Authentication

edit

The Elastic Security APIs support key- and token-based authentication.

Key-based authentication

edit

To use key-based authentication, create an API key, then specify the key in the header of your API calls.

Token-based authentication

edit

For token-based authentication, use the same username and password that you use to log in to the Kibana UI. In a given HTTP tool, and when available, you can select to use its Basic Authentication option, which is where the username and password are stored in order to be passed as part of the call.

API calls

edit

All calls to APIs are stateless. Each call must include all the information Elastic Security needs to perform the request.

Requests must contain these headers:

kbn-xsrf: <value>, where <value> can be any alphanumeric string (for example, kbn-xsrf: kibana)
Content-Type: application/json (when the request contains a JSON payload)

For example, the following call uses the Detections API to retrieve the first 20 detection rules from the Kibana siem space:

curl -X GET "<kibana host>:<port>/s/siem/api/detection_engine/rules/_find"
-H 'kbn-xsrf: kibana' -u <username>:<password>

In dev mode, the Kibana server runs behind a proxy which adds a random path component to its URL. Considerations for basePath describes how to work with and disable the random path component.

« Allowlist Elastic Endpoint in third-party antivirus apps Detections API »